[57] ABSTRACT

A virtual private network for communicating between a 
server and clients over an open network uses an applications 
level encryption and mutual authentication program and at 
least one shim positioned above either the socket, transport 
driver interface, or network interface layers of a client 
computer to intercept function calls, requests for service, or 
data packets in order to communicate with the server and 
authenticate the parties to a communication and enable the 
parties to the communication to establish a common session 
key. Where the parties to the communication are peer-to- 
peer applications, the intercepted function calls, requests for 
service, or data packets include the destination address of the 
peer application, which is supplied to the server so that the 
server can authenticate the peer and enable the peer to 
decrypt further direct peer-to-peer communications. 

28 Claims, 7 Drawing Sheets 
MULTI-ACCESS VIRTUAL PRIVATE
NETWORK 

BACKGROUND OF THE INVENTION 

1. Field of the Invention

This invention relates to a system and method for allowing
private communications over an open network, and in par-
ticular to a virtual private network which provides data
encryption and mutual authentication services for both
client/server and peer-to-peer applications at the
applications, transport driver, and network driver levels.

2. Discussion of Related Art 

A virtual private network (VPN) is a system for securing
communications between computers over an open network
such as the Internet. By securing communications between
the computers, the computers are linked together as if they
were on a private local area network (LAN), effectively
extending the reach of the network to remote sites without
the infrastructure costs of constructing a private network. As
a result, physically separate LANs can work together as if
they were a single LAN, remote computers can be tempo-
rarily connected to the LAN for communications with
mobile workers or telecommuting, and electronic commerce
can be carried out without the risks inherent in using an open
network.

In general, there are two approaches to virtual private
networking, illustrated in FIGS. 1A and 1B. The first is to
use a dedicated server 1, which may also function as a
gateway to a secured network 2, to provide encryption and
authentication services for establishment of secured links 3
between the server 1 and multiple clients 4-6 over the open
network 7, represented in FIG. 1A as a cloud, while the
second is to permit private communications links 8 to be
established between any two computers or computer sys-
tems 9-12 on network 7, as illustrated in FIG. 1B.

The advantages of a client/server arrangement such as the
one shown in FIG. 1A are that the server can handle
functions requiring the majority of the computing resources,
increasing the number of potential clients, and that manage-
ment of the network, including key management, is central-
ized. The disadvantage of a client/server network of this type
is that peer-to-peer communications links between applica-
tions on the client computers cannot utilize the security and
management functions provided by the server, leaving such
communications unprotected. On the other hand, the advan-
tage of the direct peer-to-peer approach illustrated in FIG.
1B is that it permits secured links to be established between
any computers capable of carrying out the required security
functions, with the disadvantages being the cost of config-
uring each computer to carry out encryption, authentication,
and key management functions, and the lack of central
control.

In both the client/server and peer-to-peer approaches, a
virtual private network can in theory be based either on
applications level technology or can operate at a lower level.
Generally, however, peer-to-peer "tunneling" arrangements
require modification of the lower layers of a computer's
communications architecture, while client/server arrange-
ments can use the applications level approach because less
modification of the clients is required, and thus the two
approaches are in practice mutually exclusive. The present
invention, on the other hand, seeks to provide a virtual
private network which utilizes a client/server approach,
including centralized control of encryption, authentication,
and key management functions, while at the same time
enabling secured peer-to-peer communications between
applications, by utilizing the server to provide authentication
and session key generation functions for both client to server 
communications and peer-to-peer communications, provid- 
ing a virtual private network capable of serving both as an 
extended intranet or wide area network (WAN), and as a 
commercial mass marketing network, with high level mutual 
authentication and encryption provided for all communica- 
tions. 

In order to completely integrate the two approaches and 
maximize the advantage of each approach, the invention 
maintains the applications level infrastructure of prior client 
server private networking arrangements, while adding shims 
to lower levels in order to accommodate a variety of 
peer-to-peer communications applications while utilizing 
the applications level infrastructure for authentication and 
session key generation purposes. This results in the syner- 
gistic effect that not only are existing peer-to-peer tunneling 
schemes and applications level client server security 
arrangements combined, but they are combined in a way 
which greatly reduces implementation costs.

In order to understand the present invention, it is neces- 
sary to understand a few basic concepts about computer to 
computer communications, including the concepts of "lay- 
ers" and communications protocols, and of mutual authen- 
tication and file encryption. Further information about layers 
and protocols can be found in numerous sources available on 
the Internet, a few of which are listed at the end of this 
section, while a detailed description of a mutual authenti- 
cation and encryption system and method suitable for use in 
connection with the present invention can be found in U.S. 
Pat. No. 5,602,918, which is incorporated herein by refer- 
ence. In general, the basic communications protocols and 
architecture used by the present invention, as well as 
authentication, encryption, and key management schemes, 
are already well-known, and can be implemented as a matter 
of routine programming once the basic nature of the inven- 
tion is understood. The changes made by the present inven- 
tion to the conventional client server virtual private network 
may be thought of as, essentially, the addition of means, 
most conveniently implemented as shims, which add a 
secured mutual authentication and session key generation 
channel between the server and all parties to a 
communication, at all levels at which a communication can 
be carried out. 

Having explained the key differences between the present 
invention and existing systems, the basic concepts of layers 
and so forth will now be briefly explained by way of 
background. First, the concept of "layers," "tiers," and 
"levels," which is essential to an understanding of the
invention, simply refers to libraries or sets of software 
routines for carrying out a group of related functions, and 
which can conveniently be shared or called on by different 
programs at a higher level to facilitate programming, avoid- 
ing duplication and maximizing computer resources. For 
example, the Windows NT device driver architecture is 
made up of three basic layers, the first of which is the 
Network Driver Interface Specification (NDIS 3.0) layer, the 
second of which is called the Transport Driver Interface 
(TDI) layer, and the third being the file systems. These layers
are generically referred to as the network driver layer, the 
transport or transport driver layer, and the applications layer. 

In the Windows NT architecture, the TDI layer formats 
data received from the various file systems or applications 
into packets or datagrams for transmission to a selected 
destination over the open network, while the NDIS layer 
controls the device drivers that send the data, packets, or IP 
datagrams, for example by converting the stream of data into 
a waveform suitable for transmission over a telephone line or a twisted pair cable of the type known as an Ethernet.

By providing layers in this manner, an applications software programmer can design an application program to supply data to the TDI layer without having to re-program any of the specific functions carried out by that layer, and all of the transmission, verification, and other functions required to send a message will be taken care of by the TDI layer without further involvement by the applications software. In a sense, each layer simply accepts data from the higher layer and formats it by adding a header or converting the data in a manner which is content independent, with retrieval of the data simply involving reverse conversion or stripping of the headers, the receiving software receiving the data as if the intervening layers did not exist.

In the case of Internet communications, the most commonly used set of software routines for the transport or TDI layer, which takes care of the data formatting and addressing, is the TCP/IP protocol, in which the transport control protocol (TCP) packages the data into datagrams and provides addressing, acknowledgements, and checksum functions, and the internet protocol (IP) further packages the TCP datagrams into packets by adding additional headers used in routing the packets to a destination address. Other transport protocols which can be included in the TDI layer include the user datagram protocol (UDP), the internet control message protocol (ICMP), and non-IP based protocols such as Netbeui or IPX.

Additional "protocols" may be used at the applications level, although these protocols have nothing to do with the present invention except that they may be included in the applications programs served by the network. Common applications level protocols which utilize the TCP/IP protocol include hypertext transfer protocol (HTTP), simple mail transfer protocol (SMTP), and file transfer protocol (FTP), all of which operate at the layer above the transport layer.

Some applications are written to directly call upon the TCP functions. However, most applications utilizing a graphical user interface conveniently rely on a set of software routines which are considered to operate above the TDI layer, and are known as sockets. Sockets serve as an interface between the TCP set of functions, or stack, and various applications, by providing libraries of routines which facilitate TCP function calls, so that the application simply has to refer to the socket library in order to carry out the appropriate function calls. For Windows applications, a commonly used non-proprietary socket is the Windows socket, known as Winsock, although sockets exist for other operating systems or platforms, and alternative sockets are also available for Windows, including the Winsock 2 socket currently under development.

In order to implement a virtual private network, the encryption and authentication functions must be carried out at one of the above "levels," for example by modifying the network drivers to encrypt the IP datagrams, by inserting authentication headers into the TCP/IP stacks, or by writing applications to perform these functions using the existing drivers. If possible, it is generally desirable to minimize modification of the existing levels by adding a layer to perform the desired functions, calling upon the services of the layer below, while utilizing the same function calls so that the higher layer also does not need to be modified. Such a layer is commonly referred to as a "shim."

As indicated above, the preferred approach to implementing client/server virtual private networks is to use an applications level security system to encrypt files to be transmitted, and to then utilize existing communications layers such as Winsock, or TCP/IP directly. This is the approach taken by the commercially available access control system known as SmartGATE™, developed by V-One Corp of Germantown, Md., which provides both encryption and mutual authentication at the applications level utilizing a dedicated server known as an authentication server and authentication client software installed at the applications level on the client computers. A description of the manner in which encryption and mutual authentication is carried out may be found in the above-cited U.S. Pat. No. 5,602,918. While the principles of the invention are applicable to other client/server based virtual private networks, SmartGATE™ is used as an example because it provides the most complete range of mutual authentication and encryption services currently available.

The present invention can be implemented using the existing SmartGATE™ system, but adds mutual authentication and encryption services to lower layers by intercepting function calls or data packets and, during initialization of a communications link, establishing separate channels between the party initiating the communication and the authentication server, and between the authentication server and the other party to the communication, so as to mutually authenticate the parties with respect to the server and enable them to establish a session key for direct communications between the parties. A number of protocols exist which can be used, in total or in part, to implement the mutual authentication and encryption services at the lower layers, using the same basic authentication and encryption scheme currently implemented by SmartGATE™ at the applications level. These include, by way of example, the SOCKS protocol, which places a shim between the TDI or transport layer and the applications, and the commercially available program known as SnareNet, which operates at the network driver level and can be directly utilized in connection with the present invention.

On the other hand, a network level implementation such as the SKIP protocol, which operates below the TDI layer to encrypt the datagrams, and which in its description explicitly precludes the generation of session keys (see the above cited U.S. Pat. No. 5,602,918), is fundamentally different in concept than the present invention. Similarly, alternative implementations such as Point-to-Point Tunneling Protocol (PPTP) which involve modifying the TCP/IP stack and/or hardware to provide encryption, as opposed to inserting shims, are not utilized by the preferred embodiment of the present invention, although individual aspects of the protocol could perhaps be used, and the present system could be added to computers also configured to accept PPTP communications.

The SmartGATE™ system uses public key and DES encryption to provide two-way authentication and 56-bit encrypted communications between a server equipped with the SmartGATE program and client computers equipped with a separate program. Currently, SmartGATE™ operates at the highest level, or applications level, by using shared secret keys to generate a session key for use in further communications between the authentication server or gateway and the client program. Since the session key depends on the secret keys at the gateway and client sides of the communication, mutual authentication is established during generation of the session key, which can then be used to encrypt further communications.

When installed on a client system, the SmartGATE™ client software reads a request for communications by an

applications program, such as a browser program, and then 
proceeds to establish its own communications link with the 
destination server to determine if the server is an authenti- 
cation server. If it is not, control of communications is 
relinquished, but if it is, then the security program and the
server carry out a challenge/response routine in order to 
generate the session key, and all further communications are 
encrypted by the security program. Although this program is 
placed between the Winsock layer and the applications, it 
does not function as a shim, however, because it only affects 
communications directed to the authentication server. 

Having briefly summarized the concepts used by the 
present invention, including the concepts of layers, 
protocols, and shims, and having described a specific appli- 
cations level security program which is to be modified 
according to the present invention by adding shims in a way 
which enables secured authentication and session key gen- 
eration channels to be set up from the lower layers, it should 
now be possible to understand the nature of the invention, 
and in particular how it integrates the two approaches to 
virtual private networking in a way which greatly expands 
the concept and yet can easily be implemented. More details 
will be given below, but as a final observation in this
background portion of the patent specification, it should be 
noted that while the overall concept of the invention is in a 
sense very simple, it is fundamentally at odds with present 
approaches. For example, the literature is replete with ref- 
erences to conflicts between VPN standards and 
implementations, as exemplified by the title of an article 
from LAN Times On-Line, September 1996, (http://
www.wcmh.com/), which reads Clash Over VPN
Supremacy. Even a cursory search of the available literature 
indicates that the amount of information and choices avail- 
able to those wishing to set up a virtual private network is 
overwhelming. One can choose between Netscape Commu- 
nications Secure Socket Layer, Open Market Inc.'s Secure
HTTP, Microsoft's PPTP, among others. However, all of 
these approaches operate at a single level, and force a choice 
between establishing a network of the type shown in FIG. 
1A and a network of the type shown in FIG. 1B. Only the
present invention offers the advantages of both approaches,
without the inflexibility of client/server arrangements or the 
costs of more distributed architectures. 

For further information on the various competing VPN 
protocols and systems, see also The Development of Net- 
work Security Technologies, Internet Smartsec, February 
1997 (http://www.smartsec.se), which compares Smart-
GATE™ to other application level security systems, includ-
ing PPTP, SSL, and S-HTTP; Point-To-Point Tunneling 
Protocol (PPTP) Frequently Asked Questions, Microsoft 
Corp., date unknown, (http://www.microsoft.com), Simple 
Key-Management for Internet Protocols (SKIP), Aziz et al., 
date unknown, (http://skip.incog.com), and SOCKS Proto- 
col Version 5, RFC 1928, Leech et al., March 1996 (http://
andrew2.andrew.cmu.edu) (this document describes a pro-
tocol involving a TDI shim). For more general information 
on security problems, Internet protocols, and sockets, see 
Introduction to the Internet Protocols, Charles L. Hedrick, 
Rutgers University, 1987 (http://oac3.hsc.uth.tmc.edu); Win- 
dows Sockets — Where Necessity is the Mother of 
Reinvention, Stardust Technologies, Inc., 1996, (http://
www.stardust.com), and Secure Internet Connections, LAN 
Times, June 17, 1996 (Ibid). 

SUMMARY OF THE INVENTION 
It is accordingly a principal objective of the invention to 
provide a client/server virtual private network which is 
capable not only of carrying out authenticated secure com-
munications over an open network between an authentica- 
tion server and clients, but also authenticated secure peer- 
to-peer communications. 

It is also an objective of the invention to provide a virtual
private network that provides data encryption and mutual 
authentication for both client/server and peer-to-peer com- 
munications for different types of applications, using both
the applications level and lower levels of a communications 
hierarchy. 

It is a further objective of the invention to provide a 
client/server virtual private network which can provide both 
client/server and peer-to-peer encryption and authentication 
services for any application sharing a specified socket or 
sockets, whether or not the application is recognized by the 
encryption and authentication program. 

It is a still further objective of the invention to provide a 
client/server virtual private network which can provide 
encryption and authentication services at the applications 
level, transport driver interface level, and network interface 
level, without the need for modifying either the communi- 
cation driver or network driver, or any sockets utilizing the 
communications driver interface. 

It is yet another objective of the invention to provide a 
virtual private network which provides encryption and 
authentication services for peer-to-peer communications 
while maintaining centralized control of key distribution and 
management functions. 

Finally, it is also an objective of the invention to provide 
a virtual private network which provides encryption and 
authentication services for peer-to-peer communications and 
in which registration is carried out by a central gateway 
server. 

These objectives of the invention are accomplished by 
providing a virtual private network for communicating 
between a server and clients over an open network and in 
which the clients are equipped with an applications level 
encryption and mutual authentication program which 
includes at least one shim positioned above either the socket, 
transport driver interface, or network interface layers of a 
client computer's communications hierarchy, and which
intercepts function calls or data packets in order to authen- 
ticate the parties to the communication by establishing 
secured channels between the server and the parties to the 
communication, prior to establishment of the secured com- 
munications link between the parties, in order to carry out 
mutual authentication and session key generation functions. 

More particularly, according to the principles of a pre- 
ferred embodiment of the invention, client communications 
software is provided which, at the socket or transport driver 
interface levels, intercepts function calls to the socket or 
transport driver and directs calls to the authentication server 
in order to perform encryption and authentication routines, 
and at the network driver interface, performs encryption and 
authentication functions by intercepting the datagrams or 
data portions of the packets transmitted by the transport 
driver interface based on communications between the 
authentication server and the client. According to this aspect 
of the invention, a system of providing authentication and 
encryption services for the purpose of establishing a virtual 
private network includes a plurality of shims arranged to 
operate at different protocol levels in order to establish a 
common secure communications link to an authentication 
server. 
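As an added illustration, not code from the patent or from the SmartGATE™ product, the following Python simulates the flow just summarized: a shim intercepts a connect() aimed at a peer, each party runs a challenge/response with the authentication server based on its own shared secret, and the server issues one session key, wrapped separately under each party's channel key, that the peers then use for direct traffic. The HMAC-SHA256 challenge/response, the XOR keystream standing in for DES, the class names AuthServer and ClientShim, and the constructed secrets are all assumptions of this example, not details taken from U.S. Pat. No. 5,602,918.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function (HMAC-SHA256) for challenge proofs and key derivation."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for DES (keystream = prf(key, nonce, counter)); symmetric."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += prf(key, nonce, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class AuthServer:
    """Hypothetical central server: holds each client's shared secret, authenticates each
    party over its own channel, and issues the common session key for a peer link."""

    def __init__(self, shared_secrets: dict):
        self.secrets = dict(shared_secrets)
        self.pending = {}       # client id -> (client nonce, server nonce) awaiting the proof
        self.channel_keys = {}  # client id -> key of its authenticated client/server channel

    def challenge(self, client_id: str, client_nonce: bytes):
        """Answer the client's nonce with a server nonce and a proof of the shared secret."""
        secret = self.secrets[client_id]  # KeyError for a party that never registered
        server_nonce = secrets.token_bytes(16)
        self.pending[client_id] = (client_nonce, server_nonce)
        return server_nonce, prf(secret, b"server", client_nonce, server_nonce)

    def confirm(self, client_id: str, client_proof: bytes) -> None:
        """Check the client's proof; the channel key then depends on both sides' secret."""
        client_nonce, server_nonce = self.pending.pop(client_id)
        secret = self.secrets[client_id]
        if not hmac.compare_digest(prf(secret, b"client", server_nonce, client_nonce), client_proof):
            raise PermissionError(f"{client_id}: challenge/response failed")
        self.channel_keys[client_id] = prf(secret, b"channel", client_nonce, server_nonce)

    def peer_session(self, initiator: str, peer: str) -> dict:
        """Issue one random session key, wrapped separately under each party's channel key."""
        for party in (initiator, peer):
            if party not in self.channel_keys:
                raise PermissionError(f"{party} has no authenticated channel to the server")
        session_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        return {p: (nonce, xor_crypt(self.channel_keys[p], nonce, session_key))
                for p in (initiator, peer)}

class ClientShim:
    """Hypothetical shim above the socket library: intercepts a connect() aimed at a peer,
    runs the mutual authentication with the server, and installs the session key."""

    def __init__(self, client_id: str, secret: bytes, server: AuthServer):
        self.id, self.secret, self.server = client_id, secret, server
        self.channel_key = None
        self.session_keys = {}  # peer id -> session key shared with that peer

    def authenticate(self) -> None:
        client_nonce = secrets.token_bytes(16)
        server_nonce, server_proof = self.server.challenge(self.id, client_nonce)
        # The server must prove knowledge of our secret before we answer its challenge.
        if not hmac.compare_digest(server_proof, prf(self.secret, b"server", client_nonce, server_nonce)):
            raise PermissionError("server failed to authenticate itself")
        self.server.confirm(self.id, prf(self.secret, b"client", server_nonce, client_nonce))
        self.channel_key = prf(self.secret, b"channel", client_nonce, server_nonce)

    def connect(self, peer: "ClientShim") -> None:
        """Intercepted connect(): the peer's address goes to the server, which authenticates
        the peer (simulated here by driving the peer's own shim); both unwrap one session key."""
        for shim in (self, peer):
            if shim.channel_key is None:
                shim.authenticate()
        wrapped = self.server.peer_session(self.id, peer.id)
        nonce, blob = wrapped[self.id]
        self.session_keys[peer.id] = xor_crypt(self.channel_key, nonce, blob)
        nonce, blob = wrapped[peer.id]
        peer.session_keys[self.id] = xor_crypt(peer.channel_key, nonce, blob)

    def send(self, peer_id: str, data: bytes) -> bytes:
        """Direct peer traffic never touches the server: it is encrypted under the session key."""
        nonce = secrets.token_bytes(16)
        return nonce + xor_crypt(self.session_keys[peer_id], nonce, data)

    def recv(self, peer_id: str, packet: bytes) -> bytes:
        return xor_crypt(self.session_keys[peer_id], packet[:16], packet[16:])

def demo() -> bytes:
    """Constructed secrets; returns what bob recovers from alice's first direct message."""
    server = AuthServer({"alice": b"alice-secret", "bob": b"bob-secret"})
    alice = ClientShim("alice", b"alice-secret", server)
    bob = ClientShim("bob", b"bob-secret", server)
    alice.connect(bob)
    return bob.recv("alice", alice.send("bob", b"direct peer message"))
```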

In one especially preferred embodiment of the invention, the client software includes a Winsock shim arranged to intercept function calls to the Winsock library on a client machine and redirect initial communications through the authentication client software to the authentication server, so that any function calls to the Winsock library of programs are intercepted by the shim and carried out by the applications level security program. In this embodiment, the client authentication software substitutes its own function calls for the original function calls in order to establish a secured communications link to the authentication server over which such functions as mutual authentication between the client and server, indirect authentication of peer applications by the now trusted server, and session key generation are carried out, as well as ancillary functions such as on-line registration (OLR), utilizing the unmodified original Winsock library and TCP/IP communications stacks.

By inserting a shim at the Winsock level, an applications level client/server based security program such as SmartGATE™ can be used to provide secure communications for any application which utilizes the Winsock library. In addition, by including analogous shims at other levels, the invention can be used to secure virtually any communications application, including those which by-pass the TDI layer and communicate directly with the network driver level.

Instead of the current array of mutually exclusive alternative methods and systems of establishing secured communications over an open network, the invention thus provides a single integrated method and system capable of carrying out both client/server communications and peer-to-peer communications between a wide variety of communications applications regardless of whether the applications use a socket or even commonly accepted internet protocols, with complete mutual authentication and encryption of data files at all levels and between all parties to the network.

It will be appreciated that the term virtual private network is not to be taken as limiting, and that the principles of the invention can be applied to any remote access schemes which utilize the Internet or other relatively insecure networks to provide access for remote users, corporate intranets, and electronic commerce.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a schematic diagram of a client/server virtual private network.

FIG. 1B is a schematic diagram of an alternative virtual private network based on peer-to-peer communications.

FIG. 2 is a functional block diagram showing the operation of an applications level security program in a conventional communications network hierarchy.

FIG. 3 is a functional block diagram showing the communications network hierarchy of FIG. 1, modified to provide a second layer of service in accordance with the principles of a preferred embodiment of the invention.

FIG. 4 is a functional block diagram showing the communications network hierarchy of FIG. 2, modified to provide a third layer of service in accordance with the principles of the preferred embodiment.

FIG. 5 is a functional block diagram showing the communication network hierarchy of FIG. 3, modified to provide a fourth layer of service in accordance with the principles of the preferred embodiment.

FIG. 6 is a schematic diagram of a virtual private network utilizing the principles of the preferred embodiment of the invention.

FIG. 7 is a flowchart illustrating a method of implementing the system of the preferred embodiment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 2 illustrates the operation of a client authentication program which is utilized in the present invention. An example of such a program is the SmartGATE™ program discussed briefly above, although other applications level security programs, whether or not token based, could be modified in a manner similar to that discussed in the following description. The illustrated hierarchy is the Windows NT architecture, although versions of SmartGATE™ exist for other architectures, and the invention could easily be adapted for use with any version of SmartGATE™, including UNIX and Macintosh versions, as well as for use with applications level security programs designed for communications architectures other than those supported by SmartGATE™. Conversely, it is intended that the present invention can be used with authentication and encryption schemes other than that used by SmartGATE™ and disclosed in U.S. Pat. No. 5,602,918. For purposes of convenience, therefore, the software represented by SmartGATE™ is simply referred to as client authentication software.

In addition, it is noted that the client computer architectures illustrated in FIGS. 3-6, which are modified versions of the architecture of FIG. 2, are to be used with an overall network such as the one illustrated in FIG. 6, which includes an authentication server that may be a SmartGATE™ server, or another server depending on the client authentication software. The invention is not merely the addition of shims to the client software, but involves the manner in which the shims are used in the establishment of the authentication and key generation links to the server.

Turning to FIG. 2, which provides background for the description of the invention illustrated in FIGS. 3-6, the client authentication software 20 is situated above the boundary of the transport or TDI layer 21 and is designed to utilize a socket 22, such as Winsock, to carry out communications with the authentication server 23 shown in FIG. 6 by means of a transport protocol such as TCP/IP, UDP, or the like, which in turn supply datagrams or packets to a hardware driver layer 24, such as NDIS 3.0, of a network or modem connection 25.

In operation, the client authentication software 20 intercepts interconnect calls 26 from client authentication software supported applications 27 and, if the calls are directed to the authentication server 23, or to a server 28 situated on a secured network access to which is controlled by the authentication server, establishes a secured communications link to the server by making appropriate function calls 29 to the socket library, which in turn transmits function calls 30 to the TDI layer, causing the TDI layer to form datagrams or packets 31. Datagrams or packets 31 are then formatted for transmission by the hardware drivers 24 and sent to the communications network in the form of Ethernet packets or analog signals 32 containing the original datagrams from the TDI layer. Once the communications link has been established, client authentication software 20 encrypts all further data communications 34 from applications 27, which are indicated by dashed lines, before handing them off to the next lower layer in the form of encrypted files 35. The dashed lines are shown in FIG. 2 as extending only to the TDI layer 21, because the datagrams formed by the TDI layer are indistinguishable as to content, but it is to be understood that datagrams or packets 31 carry both the communications used to establish the secure channel, and the encrypted files subsequently sent therethrough.

Finally, in the case of SmartGATE™, the authentication 
client software utilizes either a smart card or secured file to 
supply the secret keys used during authentication to generate 
a session key for encryption of further communications, and 
also to carry out certain other encryption and authentication 
functions, although it is of course within the scope of the 
invention to use key distribution and authentication methods 
which do not rely on smartcards or tokens, and the tokens are 
not involved in any of the basic communications functions 
of the client authentication software 20. 

In addition to the applications 27 which communicate 
with the server via the authentication/encryption software 
20, a typical system will have a number of additional 
software applications 36 and 37 capable of carrying out 
communications over the open network, but which the 
authentication client software is not configured to handle, 
and which are not specifically adapted or intended to carry 
out communications with the authentication server. These 
are referred to herein as peer-to-peer applications, and can 
include applications which use the same sockets as the 
authentication client software, applications which directly 
call upon a transport driver interface stack, whether using 
the same protocol as the authentication client software or 
another protocol, all of which are intended to be represented 
by the TDI layer, and applications which are written to call 
directly upon the hardware drivers. These peer-to-peer appli- 
cations may have their own encryption and authentication 
capabilities, but cannot utilize the services of the authenti- 
cation server or client software, and therefore the function 
calls made by the applications and the files transmitted are 
indicated by separate reference numerals 40-43. 

It will be appreciated by those skilled in the art that lower layer application programs which generate packets in forms other than those represented by the TDI layer are also possible, and should be considered within the scope of the invention, but at present virtually all open network applications use at least one of the TDI protocols, and thus these programs, while they may interact directly with the network driver layer and require a network driver layer shim, as will be discussed below, are illustrated for purposes of convenience as part of the TDI layer applications. 

Turning now to a preferred embodiment of the invention, 
the arrangement shown in FIG. 3 modifies the arrangement 
of FIG. 2 by adding a socket shim 50 between the socket 22 
utilized by the authentication client software 20, the peer- 
to-peer applications 36 which also utilize the socket 22, and 
the authentication client software itself. The shim 50 oper- 
ates by hooking or intercepting call initiation function calls 
40 made to the socket and, in response thereto, having the 
authentication client software initiate communications with 
the authentication server 23, shown in FIG. 6, in order to 
carry out the authentication protocol, as will be discussed in 
more detail below. Shim 50 also causes files 41 intended for 
the TDI layer to be diverted to the authentication software 
for encryption based on the session keys generated during 
the initial communications with the authentication server, 
and transmission as encrypted files 51 addressed to the peer 
application, also shown in FIG. 6, which could also be an 
application on the application server 28. 

Since the basic authentication client software is designed to send all communications directly to the authentication server, while the peer-to-peer applications are designed only to communicate with "peers" 45 and not with the authentication server, the principal function of shim 50 is to arrange for the destination address of the communication to be supplied both to the authentication client software and to the authentication server, even though the peer application assumes that it is communicating only with the peer application. The former permits session-key-encrypted communications to be forwarded directly to the peer application, as illustrated in FIG. 6, while the latter provides the authentication server with the destination address so that the authentication server can establish a secured and authenticated link with the peer application, via the authentication client software on the peer computer, and transmit the session key to the peer application, or at least enable the peer application to recreate the session key so that it can decrypt the encrypted files received directly from the client application. 

Thus, while it is appreciated that the use of socket shims is well-known, as mentioned above, the socket shim shown in FIG. 3 has the unique function of enabling direct peer-to-peer communications with mediation by the authentication server, permitting the highest level of authentication service and collateral functions. In addition, because of the mediation by the key server, the peer applications do not need to have a shared secret key, allowing centralized key management, with only the authentication server having access to all of the clients' secret keys. 
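The server-mediated exchange described above (and summarized for the peer-to-peer path of FIG. 7 later on this page), as an added example that is not part of the patent or of the SmartGATE™ product: each client shares a long-term secret only with the authentication server; the shim hook hands the intercepted destination address to the client authentication software, which mutually authenticates with the server (channel 60); the server runs the same handshake with the peer (channel 63) and delivers a fresh session key to both sides; and the initiator then sends encrypted data straight to the peer (link 62). The challenge-response, the HMAC-based key derivation, the encrypt-then-MAC construction, and all names and keys are assumptions chosen for illustration. The patent relies on the procedure of U.S. Pat. No. 5,602,918, which this does not reproduce, and the peer's handshake is run here by the peer's own auth client rather than opened by the server.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts; used for tags and key derivation."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def _xor_keystream(ek: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()  # HMAC counter-mode keystream; a toy cipher for the example only
    for i in range(0, len(data), 32):
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], prf(ek, nonce, i.to_bytes(4, "big"))))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (use a real AEAD in production)."""
    nonce = secrets.token_bytes(16)
    ct = _xor_keystream(prf(key, b"enc"), nonce, data)
    return nonce + ct + prf(prf(key, b"mac"), nonce, ct)

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(key, b"mac"), nonce, ct)):
        raise ValueError("authentication tag mismatch")
    return _xor_keystream(prf(key, b"enc"), nonce, ct)

class AuthServer:
    """Authentication server 23: the only party holding every client's secret."""
    def __init__(self, enrolled: dict):
        self.enrolled = dict(enrolled)          # client name -> long-term secret
        self.channels, self.directory = {}, {}  # name -> channel key; name -> AuthClient

    def authenticate(self, name: str, nc: bytes, tag_c: bytes):
        """Mutual challenge-response; each side derives the channel key itself."""
        k = self.enrolled.get(name)
        if k is None or not hmac.compare_digest(tag_c, prf(k, b"client", nc)):
            raise PermissionError(f"{name}: not authenticated")
        ns = secrets.token_bytes(16)
        self.channels[name] = prf(k, b"channel", nc, ns)
        return ns, prf(k, b"server", nc, ns)

    def peer_session(self, initiator: str, blob: bytes) -> bytes:
        """Destination address arrives over channel 60; the session key goes to the peer over 63."""
        dest = open_sealed(self.channels[initiator], blob).decode()
        session_key = secrets.token_bytes(32)
        peer = self.directory[dest]
        peer.authenticate_with_server()   # channel 63: same handshake, run with the peer
        peer.install_session(seal(self.channels[dest], initiator.encode() + b"\0" + session_key))
        return seal(self.channels[initiator], session_key)

class AuthClient:
    """Client authentication software 20, plus the shim hook that feeds it the destination address."""
    def __init__(self, name: str, secret: bytes, server: AuthServer):
        self.name, self.secret, self.server = name, secret, server
        self.channel_key, self.peer_keys = None, {}   # peer name -> session key (link 62)

    def authenticate_with_server(self) -> None:
        nc = secrets.token_bytes(16)
        ns, tag_s = self.server.authenticate(self.name, nc, prf(self.secret, b"client", nc))
        if not hmac.compare_digest(tag_s, prf(self.secret, b"server", nc, ns)):
            raise PermissionError("server failed to prove knowledge of our secret")
        self.channel_key = prf(self.secret, b"channel", nc, ns)

    def on_connect_intercepted(self, dest: str) -> None:
        self.authenticate_with_server()   # the app called connect(dest): get a key first
        reply = self.server.peer_session(self.name, seal(self.channel_key, dest.encode()))
        self.peer_keys[dest] = open_sealed(self.channel_key, reply)

    def install_session(self, blob: bytes) -> None:
        initiator, key = open_sealed(self.channel_key, blob).split(b"\0", 1)
        self.peer_keys[initiator.decode()] = key

    def send(self, dest: str, data: bytes) -> bytes:
        return seal(self.peer_keys[dest], data)      # sent straight to the peer

    def receive(self, src: str, blob: bytes) -> bytes:
        return open_sealed(self.peer_keys[src], blob)

def _raises(exc, fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except exc:
        return True

def demo() -> dict:
    # Constructed scenario: alice's app connects to bob; mallory is not enrolled.
    server = AuthServer({"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)})
    alice = AuthClient("alice", server.enrolled["alice"], server)  # secret from smart card in practice
    bob = AuthClient("bob", server.enrolled["bob"], server)
    server.directory = {"alice": alice, "bob": bob}
    alice.on_connect_intercepted("bob")
    blob = alice.send("bob", b"GET /payroll HTTP/1.0")
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]   # flip one ciphertext bit
    return {"plaintext": bob.receive("alice", blob),
            "keys_match": alice.peer_keys["bob"] == bob.peer_keys["alice"],
            "unenrolled_rejected": _raises(PermissionError, AuthClient("mallory", secrets.token_bytes(32), server).on_connect_intercepted, "bob"),
            "tamper_detected": _raises(ValueError, bob.receive, "alice", tampered)}
```

Running `demo()` shows that bob, who has shared nothing with alice, recovers the plaintext because the server handed him the same key, that a client the server has not enrolled is refused before any session key exists, and that a modified ciphertext is rejected by the receiver. That is the sense in which the text above says each party is effectively authenticated through the server: only an enrolled, authenticated peer can ever obtain the key that makes link 62 readable.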

FIG. 4 shows the variation of the client authentication software 20 in which a TDI shim 52 similar in function to the socket shim 50 is provided above the TDI layer. Like the socket shim, implementation of the TDI shim essentially simply involves diverting certain information to the client software in order to establish a communications link with the authentication server, and subsequently perform encryption to obtain encrypted files 54 for transmission directly through the TDI layer in the usual manner. As with the socket shim, TDI shims are not new and can be implemented in known manner, by intercepting TDI service requests, but with the difference from prior TDI shims that the TDI shim works with the authentication software 20 and authentication server to authenticate communications and generate a session key. 

Finally, as shown in FIG. 5, a further layer of authentication and encryption may be added by adding a network driver shim 55, either to the arrangement shown in FIG. 3 without the TDI shim, in combination with the TDI shim shown in FIG. 4, or in combination with the TDI shim of FIG. 4 but not the socket shim, to provide for authentication of communications at the network driver layer. At this layer, the shim 55 intercepts IP packets from applications 56, but instead of referring back to the applications level routine, checks the destination address (whatever the transport protocol carried in the packet, TCP, UDP, and so forth), establishes a session key by communications with the authentication server, converts the session key into a format which can be used to encrypt the IP packet, and sends the IP packet towards the destination, all by carrying out the necessary operations at the network driver level, in a manner similar to that utilized by the above-mentioned SnareNet software program, but with the difference that the authenticating communications link and key generation are carried out by packets addressed to a corresponding layer 56 of the authentication server, which may be further connected to an applications server 57. 

It will be noted that since the IP packets are not distinguishable by content, the network driver layer shim could be used as an additional level of security, rather than as an alternative to applications level encryption, with the encrypted files generated by software 20 being further encrypted by shim 55 before transmission to the authentication server or associated gateway. 
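An added example, not from the patent, of what shim 55 does to an outbound IPv4 packet and to the matching inbound one, written in Python rather than as a driver. It assumes the session key for each peer address has already been agreed with the server's lower layer (here it is simply constructed and given to both shims), uses protocol number 253 (an IANA experimental value) to mark encapsulated packets, a SHAKE256 keystream plus a truncated HMAC-SHA256 tag as the per-packet transform, and IPv4 headers without options; none of these choices come from the patent. The original protocol number travels inside the encrypted part so the peer can restore the packet, the IP header checksum is recomputed, packets for destinations without a key pass through untouched, and packets that fail the tag check are dropped before the TDI layer sees them. The payload is never examined, which is why the same transform can be applied on top of files already encrypted by software 20.

```python
import hashlib
import hmac
import secrets
import struct
from ipaddress import IPv4Address

PROTO_SHIM = 253  # IANA "experimentation" protocol number; an assumption for the encapsulation

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """(src, dst, proto, ident, payload), or None if truncated or the header checksum is bad."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0xF) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        return None
    _, _, total, ident, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, ident, pkt[ihl:total]

class NetworkDriverShim:
    """Shim 55: transforms packets for peers that have a session key, passes the rest through."""
    NONCE, TAG = 12, 16

    def __init__(self, session_keys: dict):
        self.session_keys = dict(session_keys)   # peer IPv4 address -> 32-byte session key

    @staticmethod
    def _keys(key: bytes, nonce: bytes, n: int):
        # Per-packet keystream from SHAKE256 (a nonce must never repeat under one key) and a MAC key.
        return hashlib.shake_256(b"stream" + key + nonce).digest(n), hashlib.sha256(b"mac" + key).digest()

    def outbound(self, pkt: bytes):
        parsed = parse_ipv4(pkt)
        if parsed is None:
            return None
        src, dst, proto, ident, payload = parsed
        key = self.session_keys.get(dst)
        if key is None:
            return pkt                      # not a VPN peer: unchanged
        nonce = secrets.token_bytes(self.NONCE)
        inner = bytes([proto]) + payload    # original protocol rides inside the encrypted part
        ks, mk = self._keys(key, nonce, len(inner))
        ct = bytes(a ^ b for a, b in zip(inner, ks))
        tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()[: self.TAG]
        return build_ipv4(src, dst, PROTO_SHIM, nonce + ct + tag, ident)

    def inbound(self, pkt: bytes):
        parsed = parse_ipv4(pkt)
        if parsed is None:
            return None
        src, dst, proto, ident, payload = parsed
        if proto != PROTO_SHIM:
            return pkt                      # cleartext traffic from a non-peer
        key = self.session_keys.get(src)
        if key is None or len(payload) < self.NONCE + 1 + self.TAG:
            return None                     # no session with the sender: drop
        nonce, ct, tag = payload[: self.NONCE], payload[self.NONCE:-self.TAG], payload[-self.TAG:]
        ks, mk = self._keys(key, nonce, len(ct))
        if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()[: self.TAG]):
            return None                     # forged or corrupted: drop before the TDI layer sees it
        inner = bytes(a ^ b for a, b in zip(ct, ks))
        return build_ipv4(src, dst, inner[0], inner[1:], ident)

def demo() -> dict:
    """Constructed traffic: a UDP datagram 10.0.0.1 -> 10.0.0.2 through a shim on each host."""
    key = secrets.token_bytes(32)           # in the patent, agreed with the server's lower layer
    shim_a = NetworkDriverShim({"10.0.0.2": key})
    shim_b = NetworkDriverShim({"10.0.0.1": key})
    udp = struct.pack("!HHHH", 5000, 53, 8 + 5, 0) + b"hello"
    plain = build_ipv4("10.0.0.1", "10.0.0.2", 17, udp, ident=7)
    wire = shim_a.outbound(plain)
    other = build_ipv4("10.0.0.1", "192.0.2.9", 17, udp)
    forged = wire[:-1] + bytes([wire[-1] ^ 0x80])
    return {"roundtrip": shim_b.inbound(wire) == plain,
            "encapsulated": parse_ipv4(wire)[2] == PROTO_SHIM and udp not in wire,
            "passthrough": shim_a.outbound(other) == other,
            "forged_dropped": shim_b.inbound(forged) is None}
```

Two practitioner caveats the code makes visible: the shim must validate the header checksum and length before trusting any field, because at this layer it is the first thing to touch a packet from the wire, and the random per-packet nonce is what keeps the keystream from repeating under a long-lived session key. A production design would use ESP-style encapsulation with a standard AEAD rather than this construction.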

The overall system utilizing the authentication client 
software illustrated in FIGS. 3-5 is schematically illustrated 
in FIG. 6. The principal components of the overall system are the client computers containing software of the type illustrated in FIGS. 2-5, including client authentication software 20 and shims 50, 53, and/or 55, and applications with communications capabilities (represented by applications 27, 36, 37, and 56 on one client, and application 45 on the other). For purposes of illustration, the client of FIG. 6 is thus depicted as including applications for communicating at the highest levels, such as the SmartGATE™ proxy application, applications for communicating at the network driver level with corresponding applications connected to the lower layer of the authentication server, and peer-to-peer applications with no capability of communicating with SmartGATE™, but which use sockets or TDI protocols recognized by the shims. 

In the case of the SmartGATE™ proxy application, communications are established in the same manner as in the currently available version of the SmartGATE™ authentication client software, and as described in U.S. Pat. No. 5,602,918, the communications link being indicated by arrows 60 and 61, with arrow 60 representing the client/server response channel used to authenticate the parties and generate the session key. 

In the case of a peer-to-peer application, in which the clients wish to communicate over a direct link 62, the invention provides for the function calls establishing the communications to be intercepted and the initialization procedure routed through channel 61 to the authentication server 23. Server 23 then opens a secured channel 63 to the authentication client software 20 associated with peer application 45 by performing the same mutual authentication procedure performed for the purpose of establishing channel 60, and once the channel is established with its own session key, transmits information using the channel 63 session key which allows the client to recreate the channel 60 session key for use in decrypting communications sent over channel 62. Alternatively, after establishing channel 63, the channel 60 session key could be used to transmit back to the original sending party information necessary to recreate the channel 63 session key. In either case, the authentication server is thus used to establish a fully authenticated "tunnel" between the peer applications without the need to modify any of the sockets, TDI protocols, or hardware drivers on either of the client computers. While the transmitting peer application has no way of directly authenticating the receiving peer, only a receiving peer authenticated by the authentication server will be able to generate the necessary session keys, and thus each of the parties to the communication is effectively authenticated. 

For the lower layer application 56, a similar protocol may be employed, in which the attempted communication between lower layer applications is intercepted, and the communications link to the authentication server is used to generate a session key, which is then used to encrypt the packets or datagrams being sent. In this case, the destination must be the lower layer of the authentication server, and thus the communications link is indicated by a separate channel 67. 

Finally, the procedures associated with the network illustrated in FIG. 6 are summarized in the flowchart of FIG. 7. For communications directly with the applications level portion of the server 23, steps 100-103 are used, while for peer-to-peer communications, steps 104-109 are used, and for network driver level communications, steps 110-114 are used. 

In particular, step 100 is the step by which the applications level authentication program 20 illustrated in FIGS. 3-5 receives a call initiation request, either directly from a supported applications program 27 or from programs 36 and 37 via one of the shims 50 and 53; step 101 is the step by which the program 20 addresses the authentication server; step 102 is the step by which the client and server are mutually authenticated and the session keys generated using, for example, the procedure described in U.S. Pat. No. 5,602,918; and step 103 is the step by which program 20 encrypts further communications received directly or via shims 50 and 53 from the applications programs 27, 36, and 37. 

For peer-to-peer communications, step 105, which is part of step 100, is the step by which the peer address is supplied to program 20; steps 106 and 107 are identical to steps 101 and 102; step 108 is the step by which communications channel 63 shown in FIG. 6 is established; step 109 is the step by which the destination computer authenticated by the server is enabled to decrypt communications received over channel 62; and step 110 is the step by which program 20 encrypts the communications. It will of course be appreciated that these steps represent only a summary of the steps involved in carrying out the present invention, and that further steps will be apparent to those skilled in the art based on the above description of the apparatus and software portions of the preferred embodiment of the invention. 

Having thus described various preferred embodiments of the invention, those skilled in the art will appreciate that variations and modifications of the preferred embodiment may be made without departing from the scope of the invention. It is accordingly intended that the invention not be limited by the above description or accompanying drawings, but that it be defined in accordance with the appended claims. 

What is claimed is: 

1. Apparatus for carrying out communications over a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, comprising: 

means for intercepting function calls and requests for service sent by an applications program on one of said client computers to a lower level set of communications drivers; 

means for causing an applications level authentication and encryption program in said one of said client computers to communicate with the server, generate a session key, and use the session key generated by the applications level authentication and encryption program to encrypt files sent by the applications program before transmittal over said open network, and 

means for intercepting files packaged by a transport driver interface layer to form packets and encrypting the packets using a session key generated during communications between corresponding lower layers of the server and said one of said client computers. 

2. Apparatus for carrying out communications over a multi-tier virtual private network, said network including a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, comprising: 

means for intercepting function calls and requests for service sent by an applications program on one of said client computers to a lower level set of communications drivers; and 

means for causing an applications level authentication and encryption program in said one of said client computers to communicate with the server, generate a session key, 
and use the session key generated by the applications level authentication and encryption program to encrypt files sent by the applications program before transmittal over said open network, and 

further comprising means for intercepting a destination address during initialization of communications between said one of said client computers and a second of said client computers on said virtual private network; 

means for causing said applications level authentication and encryption program to communicate with the server in order to enable the applications level authentication and encryption program to generate said session key; 

means for transmitting said destination address to said server; 

means for causing said server to communicate with the second of said two client computers; 

means for enabling said second of said two client computers to recreate the session key; 

means for causing said authentication software to encrypt files to be sent to the destination address using the session key; and 

means for transmitting the encrypted files directly to the destination address. 

3. Apparatus as claimed in claim 2, wherein said means 
for intercepting the destination address is carried out by a 
shim positioned between a peer-to-peer applications pro- 
gram and a layer of a communications driver architecture of 
said one of the two client computers. 

4. A multi-tier virtual private network, comprising: 

a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, 

wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server: applications level encryption and authentication software arranged to communicate with the server in order to: a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; at least one lower level set of communications drivers; and a shim arranged to intercept function calls and requests for service sent by an applications program to the lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network, 

wherein said lower level set of communications drivers includes a network driver layer, a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and an applications socket for facilitating service requests by said applications program to the transport driver interface layer, and wherein said shim is a socket shim positioned between the applications program and the socket to intercept function calls to the socket in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer, and 

wherein said applications program is a peer-to-peer communications program, wherein a peer application destination address, included in said function calls to the socket, is diverted by the socket shim, and wherein the destination address included in said intercepted function calls is supplied to the server during communications with the server, causing the server to establish a communications link with a peer application, mutually authenticate the peer application, and enable the peer application to reconstruct the session key in order to receive encrypted files sent by the peer-to-peer communications program over the open network. 

5. A multi-tier virtual private network, comprising: 

a server and a plurality of client computers, the server and 
client computers each including means for transmitting 
data to and receiving data from an open network, 
wherein said means for transmitting data to and receiving 
data from the open network includes, in any client 
computer initiating communications with the server: 
applications level encryption and authentication soft- 
ware arranged to communicate with the server in 
order to: a.) mutually authenticate the server and the 
client computer initiating communications with the 
server and b.) generate a session key for use by the 
client computer initiating communications to encrypt 
files; 

at least one lower level set of communications drivers; 
and a shim arranged to intercept function calls and 
requests for service sent by an applications program 
to the lower level set of communications drivers in 
order to cause the applications level authentication 
and encryption program to communicate with the 
server, generate said session key, and encrypt files 
sent by the applications program before transmittal 
over said open network, 
wherein said lower level set of communications drivers 
includes a network driver layer, a transport driver 
interface layer arranged to package applications files as 
packets capable of being routed over the open network 
and supply the packets to the network driver layer for 
transmission to the open network, and an applications 
socket for facilitating service requests by said applica- 
tions program to the transport driver interface layer, 
and wherein said shim is a socket shim positioned 
between the applications program and the socket to 
intercept function calls to the socket in order to cause 
the applications level authentication and encryption 
program to communicate with the server, generate said 
session key, and encrypt files sent by the applications 
program before the files are packaged by the transport 
driver interface layer, and 
further including a transport driver interface shim posi- 
tioned between the transport driver interface layer and 
a second applications program, for intercepting 
requests from the second applications program for 
service by the transport driver interface layer in order 
to cause the applications level authentication and 
encryption program to communicate with the server, 
generate said session key, and encrypt files sent by the 
applications program before the files are packaged by 
the transport driver interface layer. 

6. A multi-tier virtual private network as claimed in claim 5, further comprising a network driver layer shim positioned between the network driver layer and the transport driver interface layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server. 

7. A multi-tier virtual private network, comprising: 

a server and a plurality of client computers, the server and client computers each including means for transmitting data to and receiving data from an open network, 

wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server: applications level encryption and authentication software arranged to communicate with the server in order to: a.) mutually authenticate the server and the client computer initiating communications with the server and b.) generate a session key for use by the client computer initiating communications to encrypt files; 

at least one lower level set of communications drivers; and a shim arranged to intercept function calls and requests for service sent by an applications program to the lower level set of communications drivers in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before transmittal over said open network, and 

wherein said lower level set of communications drivers includes a network driver layer, and a transport driver interface layer arranged to package applications files as packets capable of being routed over the open network and supply the packets to the network driver layer for transmission to the open network, and wherein said shim is a transport driver interface layer shim positioned between the applications program and the transport driver interface layer to intercept service requests by the applications program to the transport driver interface layer in order to cause the applications level authentication and encryption program to communicate with the server, generate said session key, and encrypt files sent by the applications program before the files are packaged by the transport driver interface layer. 

8. A multi-tier virtual private network as claimed in claim 7, wherein said applications program is a peer-to-peer communications program, and wherein a peer application destination address, included in said intercepted requests for service, is diverted by the transport driver interface layer shim and supplied to the server during communications with the server, causing the server to establish a communications link with a peer application, mutually authenticate the peer application, and enable the peer application to reconstruct the session key in order to receive encrypted files sent by the peer-to-peer communications program over the open network. 

9. A multi-tier virtual private network as claimed in claim 7, further comprising a network driver layer shim positioned between the network driver layer and the transport driver interface layer and arranged to intercept files packaged by the transport driver interface layer and encrypt the files using a session key generated during communications with a lower layer of the server. 

10. A multi-tier virtual private network, comprising: 

a server and a plurality of client computers, the server and 
client computers each including means for transmitting 
data to and receiving data from an open network, 

wherein said means for transmitting data to and receiving data from the open network includes, in any client computer initiating communications with the server: 


applications level encryption and authentication soft- 
ware arranged to communicate with the server in 
order to: a.) mutually authenticate the server and the 
client computer initiating communications with the 
server and b.) generate a session key for use by the 
client computer initiating communications to encrypt 
files; and 

at least one lower level set of communications drivers, 
wherein said lower level set of communications drivers 
includes a network driver layer, a transport driver 
interface layer arranged to package applications files 
as packets capable of being routed over the open 
network and supply the packets to the network driver 
layer for transmission to the open network, and a 
network driver layer shim positioned between the 
transport driver interface layer and the network 
driver layer and arranged to intercept files packaged 
by the transport driver interface layer and encrypt the 
files using a session key generated during commu- 
nications with a lower layer of the server. 

11. A multi-tier virtual private network, comprising: 

a server and a plurality of client computers, the server and 
client computers each including means for transmitting 
data to and receiving data from an open network, 
wherein said means for transmitting data to and receiving 
data from the open network includes, in any client 
computer initiating communications with the server: 
applications level encryption and authentication soft- 
ware arranged to communicate with the server in 
order to: a.) mutually authenticate the server and the 
client computer initiating communications with the 
server and b.) generate a session key for use by the 
client computer initiating communications to encrypt 
files; and 

further comprising means for securing peer-to-peer com- 
munications between applications on two of said client 
computers, said peer-to-peer communications securing 
means comprising: 

means for intercepting a destination address during initialization of communications by a first of said two client computers; 

means for causing said authentication software to communicate with the server to carry out functions a.) and b.); 

means for transmitting said destination address to said server; 

means for causing said server to carry out functions a.) and b.) with respect to the second of said two client computers; 

means for enabling said second of said two client computers to recreate the session key; 

means for causing said authentication software to encrypt files to be sent to the destination address using the session key; and 

means for transmitting the encrypted files directly to the destination address. 

12. A multi-tier virtual private network as claimed in 
claim 11, wherein said means for intercepting the destination 
address comprises a shim positioned between the peer-to-peer applications program and a layer of a communications driver architecture of said first of the two client computers. 

13. A multi-tier virtual private network as claimed in 
claim 11, wherein said shim is positioned above a socket, the 
socket being positioned above a transport driver layer of said 
communications driver architecture. 

14. A multi-tier virtual private network as claimed in 
claim 11, wherein said shim is positioned above a transport 
driver layer of said communications driver architecture. 
15. Computer software for installation on a client com- 
puter of a multi-tier virtual private network, said network 
including a server and a plurality of client computers, the 
server and client computers each including means for trans- 
mitting data to and receiving data from an open network, 
wherein said computer software includes: 

applications level encryption and authentication software 
arranged to communicate with the server in order to: a.) 
mutually authenticate the server and the client com- 
puter initiating communications with the server and b.) 
generate a session key for use by the client computer 
initiating communications to encrypt files; 

and a shim arranged to intercept function calls and 
requests for service sent by an applications program to 
a lower level set of communications drivers in order to 
cause the applications level authentication and encryp- 
tion program to communicate with the server, generate 
said session key, and encrypt files sent by the applica- 
tions program before transmittal over said open 
network, 

wherein said lower level set of communications drivers 
includes a network driver layer, a transport driver 
interface layer arranged to package applications files as 
packets capable of being routed over the open network 
and supply the packets to the network driver layer for 
transmission to the open network, and an applications 
socket for facilitating service requests by said applica- 
tions program to the transport driver interface layer, 
and wherein said shim is a socket shim positioned 
between the applications program and the socket to 
intercept function calls to the socket in order to cause 
the applications level authentication and encryption 
program to communicate with the server, generate said 
session key, and encrypt files sent by the applications 
program before the files are packaged by the transport 
driver interface layer, and 

wherein said applications program is a peer-to-peer com- 
munications program, wherein a peer application des- 
tination address, included in said function calls to the 
socket, is diverted by the socket shim, and wherein the 
destination address included in said intercepted function 
calls is supplied to the server during communications 
with the server, causing the server to establish a 
communications link with a peer application, mutually 
authenticate the peer application, and enable the peer 
application to reconstruct the session key in order to 
receive encrypted files sent by the peer-to-peer com- 
munications program over the open network. 

16. Computer software for installation on a client com- 
puter of a multi-tier virtual private network, said network 
including a server and a plurality of client computers, the 
server and client computers each including means for trans- 
mitting data to and receiving data from an open network, 

wherein said computer software includes: 

applications level encryption and authentication soft- 
ware arranged to communicate with the server in 
order to: a.) mutually authenticate the server and the 
client computer initiating communications with the 
server and b.) generate a session key for use by the 
client computer initiating communications to encrypt 
files; 

and a shim arranged to intercept function calls and 
requests for service sent by an applications program 
to a lower level set of communications drivers in 
order to cause the applications level authentication 
and encryption program to communicate with the 
server, generate said session key, and encrypt files 
sent by the applications program before transmittal 
over said open network, 
wherein said lower level set of communications drivers 
includes a network driver layer, a transport driver 
interface layer arranged to package applications files as 
packets capable of being routed over the open network 
and supply the packets to the network driver layer for 
transmission to the open network, and an applications 
socket for facilitating service requests by said applica- 
tions program to the transport driver interface layer, 
and wherein said shim is a socket shim positioned 
between the applications program and the socket to 
intercept function calls to the socket in order to cause 
the applications level authentication and encryption 
program to communicate with the server, generate said 
session key, and encrypt files sent by the applications 
program before the files are packaged by the transport 
driver interface layer, and 
further including a transport driver interface shim posi- 
tioned between the transport driver interface layer and 
a second applications program, for intercepting 
requests from the second applications program for 
service by the transport driver interface layer in order 
to cause the applications level authentication and 
encryption program to communicate with the server, 
generate said session key, and encrypt files sent by the 
applications program before the files are packaged by 
the transport driver interface layer. 

17. Computer software as claimed in claim 16, further 
comprising a network driver layer shim positioned between 
the network driver layer and the transport driver interface 
layer and arranged to intercept files packaged by the trans- 
port driver interface layer and encrypt the files using a 
session key generated during communications with a lower 
layer of the server. 

18. Computer software for installation on a client com- 
puter of a multi-tier virtual private network, said network 
including a server and a plurality of client computers, the 
server and client computers each including means for trans- 
mitting data to and receiving data from an open network, 

wherein said computer software includes: 

applications level encryption and authentication soft- 
ware arranged to communicate with the server in 
order to: a.) mutually authenticate the server and the 
client computer initiating communications with the 
server and b.) generate a session key for use by the 
client computer initiating communications to encrypt 
files; 

and a shim arranged to intercept function calls and 
requests for service sent by an applications program 
to a lower level set of communications drivers in 
order to cause the applications level authentication 
and encryption program to communicate with the 
server, generate said session key, and encrypt files 
sent by the applications program before transmittal 
over said open network, and 
wherein said lower level set of communications drivers 
includes a network driver layer, and a transport driver 
interface layer arranged to package applications files as 
packets capable of being routed over the open network 
and supply the packets to the network driver layer for 
transmission to the open network, and wherein said 
shim is a transport driver interface layer shim posi- 
tioned between the applications program and the trans- 
port driver interface layer to intercept service requests 
by the applications program to the transport driver 
interface layer in order to cause the applications level 
authentication and encryption program to communicate 
with the server, generate said session key, and encrypt 
files sent by the applications program before the files 
are packaged by the transport driver interface layer. 

19. Computer software as claimed in claim 18, wherein 
said applications program is a peer-to-peer communications 
program, and wherein a peer application destination address, 
included in said intercepted requests for service, is diverted 
by the transport driver interface layer shim and supplied to 
the server during communications with the server, causing 
the service to establish a communications link with a peer 
application, mutually authenticate the peer application, and 
enable the peer application to reconstruct the session key in 
order to receive encrypted files sent by the peer-to-peer 
communications program over the open network. 

20. Computer software as claimed in claim 18, further 
comprising a network driver layer shim positioned between 
the network driver layer and the transport driver interface 
layer and arranged to intercept files packaged by the transport 
driver interface layer and encrypt the files using a 
session key generated during communications with a lower 
layer of the server. 

21. Computer software for installation on a client com- 
puter of a multi-tier virtual private network, said network 
including a server and a plurality of client computers, the 
server and client computers each including means for trans- 
mitting data to and receiving data from an open network, 

wherein said computer software includes: 

applications level encryption and authentication soft- 
ware arranged to communicate with the server in 
order to: a.) mutually authenticate the server and the 
client computer initiating communications with the 
server and b.) generate a session key for use by the 
client computer initiating communications to encrypt 
files; and 

at least one lower level set of communications drivers, 
wherein said lower level set of communications drivers 
includes a network driver layer, a transport driver 
interface layer arranged to package applications files 
as packets capable of being routed over the open 
network and supply the packets to the network driver 
layer for transmission to the open network, and a 
network driver layer shim positioned between the 
transport driver interface layer and the network 
driver layer and arranged to intercept files packaged 
by the transport driver interface layer and encrypt the 
files using a session key generated during commu- 
nications with a lower layer of the server. 

22. Computer software for installation on a client com- 
puter of a multi-tier virtual private network, said network 
including a server and a plurality of client computers, the 
server and client computers each including means for trans- 
mitting data to and receiving data from an open network, 

wherein said computer software includes: 

applications level encryption and authentication soft- 
ware arranged to communicate with the server in 
order to: a.) mutually authenticate the server and the 
client computer initiating communications with the 
server and b.) generate a session key for use by the 
client computer initiating communications to encrypt 
files; and 

further comprising means for securing peer-to-peer com- 
munications between applications on two of said client 
computers, said peer-to-peer communications securing 
means comprising: 

means for intercepting a destination address during 
initialization of communications by a first of said 
two client computers; 
means for causing said authentication software to communicate 
with the server to carry out functions a.) 
and b.); 

means for transmitting said destination address to said 
server; 

means for causing said server to carry out functions a.) 
and b.) with respect to the second of said two client 
computers; 

means for enabling said second of said two client 
computers to recreate the session key; 

means for causing said authentication software to 
encrypt files to be sent to the destination address 
using the session key; 

means for transmitting the encrypted files directly to 
the destination address. 

23. Computer software as claimed in claim 22, wherein 
said means for intercepting the destination address com- 
prises a shim positioned between the peer-to-peer applica- 
tions program and a layer of a communications driver 
architecture of said first of the two client computers. 

24. Computer software as claimed in claim 22, wherein 
said shim is positioned above a socket, the socket being 
positioned above a transport driver layer of said communi- 
cations driver architecture. 

25. Computer software as claimed in claim 22, wherein 
said shim is positioned above a transport driver layer of said 
communications driver architecture. 

26. A method of carrying out communications over a 
multi-tier virtual private network, said network including a 
server and a plurality of client computers, the server and 
client computers each including means for transmitting data 
to and receiving data from an open network, comprising the 
steps of: 

intercepting function calls and requests for service sent by 
an applications program in one of said client computers 
to a lower level set of communications drivers; 

causing an applications level authentication and encryp- 
tion program in said one of said client computers to 
communicate with the server, generate a session key, 
and use the session key generated by the applications 
level authentication and encryption program to encrypt 
files sent by the applications program before transmittal 
over said open network; and 

intercepting files packaged by a transport driver interface 
layer to form packets and encrypting the packets using 
a session key generated during communications 
between a lower layer of the server and a lower layer 
of said one of said client computers. 

27. A method of carrying out communications over a 
multi-tier virtual private network, said network including a 
server and a plurality of client computers, the server and 
client computers each including means for transmitting data 
to and receiving data from an open network, comprising the 
steps of: 

intercepting function calls and requests for service sent by 
an applications program in one of said client computers 
to a lower level set of communications drivers; 

causing an applications level authentication and encryption 
program in said one of said client computers to 
communicate with the server, generate a session key, 
and use the session key generated by the applications 
level authentication and encryption program to encrypt 
files sent by the applications program before transmittal 
over said open network; 

intercepting a destination address during initialization of 
communications between said one of said client computers 
and a second of said client computers on said 
virtual private network; 

causing said applications level authentication and encryp- 
tion program to communicate with the server in order 
to enable the applications level authentication and 
encryption program to generate said session key; 

transmitting said destination address to said server; 

causing said server to communicate with the second of 
said two client computers; 

enabling said second of said two client computers to 
recreate the session key; 
causing said authentication software to encrypt files to be 
sent to the destination address using the session key; 
and 

transmitting the encrypted files directly to the destination 
address. 

28. A method as claimed in claim 27, wherein said step of 
intercepting the destination address is carried out by a shim 
positioned between a peer-to-peer applications program and 
a layer of a communications driver architecture of said one 
of the two client computers. 
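The socket shim of claims 15 and 16 and the peer-to-peer procedure of claims 22, 27 and 28 can be followed end to end in a small in-process simulation. The block below is an added illustration, not code from the patent: it models the server tier, the applications-level authentication and encryption program on two clients, and a socket shim whose connect() diverts the peer's destination address to the server before any data is sent, after which the peer authenticates and reconstructs the initiator's session key. The claims name no algorithms, so the HMAC-SHA256 challenge-response over a pre-shared key, the HMAC-derived session key, the sealed delivery of the link key to the peer, and the counter-mode XOR cipher are all assumptions of this example (the cipher is a stand-in for a real AEAD); the client names, keys, addresses and file contents are constructed sample data.

```python
import hmac
import hashlib
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 over the parts; used as KDF and MAC (assumed primitive)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from the PRF. Illustrative stand-in for a real AEAD cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = prf(key, b"ks", nonce, (i // 32).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + prf(key, b"mac", nonce, ct)


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(prf(key, b"mac", nonce, ct), tag):
        raise ValueError("message authentication failed")
    return _xor_stream(key, nonce, ct)


class VpnServer:
    """Server tier: knows each client's pre-shared key (PSK) and brokers peer links."""

    def __init__(self, psks):
        self.psks = dict(psks)   # client name -> PSK (constructed sample credentials)
        self.pending = {}        # name -> (client nonce, server nonce) mid-handshake
        self.sessions = {}       # name -> server/client session key (function b.)
        self.links = {}          # peer name -> (initiator, link key) awaiting pickup

    def challenge(self, name: str, client_nonce: bytes):
        """Function a.), server side: prove knowledge of the PSK and issue a nonce."""
        server_nonce = os.urandom(16)
        self.pending[name] = (client_nonce, server_nonce)
        return server_nonce, prf(self.psks[name], b"server", client_nonce, server_nonce)

    def verify(self, name: str, client_proof: bytes) -> None:
        """Finish function a.) and derive the function b.) session key on the server."""
        cn, sn = self.pending.pop(name)
        if not hmac.compare_digest(prf(self.psks[name], b"client", cn, sn), client_proof):
            raise PermissionError(f"client {name} failed authentication")
        self.sessions[name] = prf(self.psks[name], b"session", cn, sn)

    def divert(self, initiator: str, dest: str) -> None:
        """Accept the intercepted destination address; hold the initiator's key for the peer."""
        if initiator not in self.sessions:
            raise PermissionError("link request from unauthenticated client")
        self.links[dest] = (initiator, self.sessions[initiator])

    def release_link(self, peer: str):
        """Hand the link key to the authenticated peer, sealed under the peer's own key."""
        if peer not in self.sessions:
            raise PermissionError("peer must authenticate before key release")
        initiator, link_key = self.links.pop(peer)
        return initiator, seal(self.sessions[peer], link_key)


class ClientAgent:
    """The applications-level authentication and encryption program on one client."""

    def __init__(self, name: str, psk: bytes, server: VpnServer):
        self.name, self.psk, self.server, self.session_key = name, psk, server, None

    def authenticate(self) -> bytes:
        """Functions a.) and b.) from the client side: mutual auth, then session key."""
        cn = os.urandom(16)
        sn, server_proof = self.server.challenge(self.name, cn)
        if not hmac.compare_digest(prf(self.psk, b"server", cn, sn), server_proof):
            raise PermissionError("server failed authentication")  # reject an impostor server
        self.server.verify(self.name, prf(self.psk, b"client", cn, sn))
        self.session_key = prf(self.psk, b"session", cn, sn)
        return self.session_key

    def reconstruct_link_key(self):
        """Peer side (claims 22/27): authenticate, then recreate the initiator's key."""
        self.authenticate()
        initiator, wrapped = self.server.release_link(self.name)
        return initiator, unseal(self.session_key, wrapped)


class SocketShim:
    """Socket shim: sits between the peer-to-peer application and the socket."""

    def __init__(self, agent: ClientAgent, transport: dict):
        self.agent, self.transport, self.dest, self.key = agent, transport, None, None

    def connect(self, dest: str) -> None:
        # The destination address is diverted to the server before any data flows.
        self.key = self.agent.authenticate()
        self.agent.server.divert(self.agent.name, dest)
        self.dest = dest

    def send(self, data: bytes) -> None:
        # Files are encrypted before the lower layers package them (constructed transport).
        self.transport.setdefault(self.dest, []).append(seal(self.key, data))


def demo():
    """Alice connects to Bob through the shim; Bob reconstructs the key and decrypts."""
    server = VpnServer({"alice": b"alice-psk", "bob": b"bob-psk"})  # constructed PSKs
    transport = {}  # stands in for the open network: destination -> delivered packets
    shim = SocketShim(ClientAgent("alice", b"alice-psk", server), transport)
    shim.connect("bob")
    shim.send(b"quarterly-report.xlsx contents")
    wire = transport["bob"][0]
    initiator, link_key = ClientAgent("bob", b"bob-psk", server).reconstruct_link_key()
    return initiator, unseal(link_key, wire), wire


def impostor_rejected() -> bool:
    """A client holding the wrong PSK never completes function a.)."""
    try:
        ClientAgent("alice", b"wrong-psk", VpnServer({"alice": b"alice-psk"})).authenticate()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo()[:2], impostor_rejected())
```

Two properties of the claimed design show up directly in the simulation. First, because the peer "reconstructs" a key that the initiator derived with the server, the server tier necessarily holds every link key; a compromise of that tier exposes all peer-to-peer traffic, so the server deserves the strongest hardening and monitoring in the deployment. Second, the shim enforces the ordering the claims require: connect() completes authentication and diverts the destination address before send() is ever allowed to place data on the wire, which is the check a reviewer should look for in any interception-based VPN client.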

***** 